kubectl-datree
Overview
This kubectl plugin extends the Datree CLI's capabilities to allow scanning resources within your cluster for misconfigurations.
Use cases
- Reveal unknown configuration issues
- Get ready for future k8s version upgrade
- Enforce standards and best practices
Supported Platforms
This plugin supports MacOS and Linux.
Installation
Via Krew
- Install krew
- Install the datree plugin:
kubectl krew install datreeManual installation
- Download the installation script from this repository.
- Open a terminal at the location of the script.
- Run
/bin/sh manual_install.sh(an administrator password will be required to complete the installation).
Usage
kubectl datree test [datree CLI args] -- [options]Arguments:
datree CLI args:
This plugin supports all of the Datree CLI arguments: https://hub.datree.io/cli-arguments
options:
[-n <namespace>] Test all resources in the cluster belonging to the specified namespace
[--all] Test all resources in the cluster
When using '--all', you can specify namespaces to exclude using '--exclude <namespace> --exclude <namespace2>'
[<resource type> <resource name> <namespace>] Test a single resource in the cluster
Running 'kubectl datree test' with no arguments is equivalent to 'kubectl datree test -- -n default'Specification
The plugin supports the following resource types:
- Pod
- Service
- Ingress
- Daemonset
- Deployment
- Replicaset
- Statefulset
- Job
- CronJob
- CRD (not the custom resource itself, but its definition)
:warning: When running against a given namespace, only resources of these types will be checked.
Examples
The following command will fetch all resources within the namespace exmpl, and execute a policy check against them:
kubectl datree test -- -n exmplThe following command will fetch the resource of kind Service named myAwesomeService in namespace mySweetNamespace, and execute a policy check against it using k8s schema version 1.22.0:
kubectl datree test -s "1.22.0" -- service myAwesomeService mySweetNamespaceThe following command will fetch all resources from all namespaces in the cluster except for 'default':
kubectl datree test -- --all --exclude defaultExample test with no misconfigurations:
